CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/06/15 6:26 p.m.•5 views

Malicious code in cardano-addresses-docs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75 package.json declares a preinstall hook node index.js that runs automatically on npm install. index.js collects host identifiers os.hostname,...

5.3AI score

OSSF Malicious Packages•added 2026/06/15 3:9 p.m.•7 views

Malicious code in hemi-earn-actions (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c On npm install, the package's preinstall script postinstall.js collects host metadata hostname, username, cwd, npm config and iterates process.env,...

5.3AI score

OSV•added 2026/06/13 6:58 a.m.•6 views

MAL-2026-5733 Malicious code in node-app-doctor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e collect.js gathers host identifiers via os.hostname and os.homedir, reads local filesystem state with fs.existsSync, spawns childprocess commands, an...

5.4AI score

Exploits0References3

OSSF Malicious Packages•added 2026/06/11 6:52 a.m.•8 views

Malicious code in clean-my-pc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6 The package's collect.js imports childprocess, fs, http, https, and os, gathers host identifiers via os.hostname and os.homedir, reads files from the...

OSSF Malicious Packages•added 2026/06/11 4:36 a.m.•8 views

Exploits0References6

Malicious code in qa-handoff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851 On npm install, the package automatically executes lib/setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that...

OSV•added 2026/06/11 4:36 a.m.•9 views

MAL-2026-5571 Malicious code in qa-handoff (npm)

OSSF Malicious Packages•added 2026/06/11 12:28 a.m.•9 views

Malicious code in @entos-ems/xerxes-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b On npm install, package.json's preinstall: node index.js hook fires automatically and runs a reconnaissance beacon. index.js collects host identifier...

OSV•added 2026/06/11 12:28 a.m.•9 views

MAL-2026-5537 Malicious code in @entos-ems/xerxes-client-js (npm)

OSV•added 2026/06/09 4:6 p.m.•6 views

MAL-2026-5393 Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

OSSF Malicious Packages•added 2026/05/25 2:16 p.m.•7 views

Malicious code in wml-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d65cdf836cae85d721f6a982c5941bd18037d4a3554ec4b69cd5828591ee0e20 [email protected] declares preinstall: node poc.js in package.json, so npm install automatically runs poc.js with no consent step. poc.js iterate...

OSSF Malicious Packages•added 2026/05/22 2:4 p.m.•10 views

Malicious code in osep-react-antd (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb package.json declares preinstall: node index.js, which runs automatically on npm install. index.js collects host identifiers os.hostname,...

OSSF Malicious Packages•added 2026/05/22 1:21 p.m.•9 views

Malicious code in share-anything-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07 The package's package.json declares a postinstall lifecycle hook "postinstall": "node install.js" that runs install.js automatically on npm install...

5.8AI score

OSV•added 2026/05/22 1:21 p.m.•6 views

MAL-2026-4668 Malicious code in share-anything-cli (npm)

5.8AI score

OSV•added 2026/05/20 2:11 a.m.•7 views

MAL-2026-4534 Malicious code in color-style-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087 On npm install, all three lifecycle hooks preinstall, install, postinstall execute postinstall.js, which harvests installer secrets and exfiltrates...

OSV•added 2026/05/20 12:31 a.m.•5 views

Exploits0References6

MAL-2026-4427 Malicious code in @rocketreach/rr-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1c16148ad4c13ad5d5cbfe951d9ca934a0912ab5ad75c3b4afee19be86172fa On npm install, both preinstall and postinstall lifecycle hooks execute postinstall.js, which collects host identifiers hostname, platform, arch, OS...

CNNVD•added 2025/05/01 12:0 a.m.•2 views

Elastic Agent 安全漏洞

Elastic Agent is a single agent from the Dutch company Elastic. Logs, metrics, traces, availability, security and other data can be collected from each host. A security vulnerability exists in Elastic Agent that stems from an uncontrolled introduction of functionality from untrusted control areas...

7.8CVSS6.8AI score0.00168EPSS